VPR Score: 9.6
Synopsis
The remote openSUSE host is missing a security update.
Description
The openSUSE 13.2 kernel was updated to receive various security and bug fixes.
The following security bugs were fixed:
- CVE-2015-8956: The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel allowed local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket (bnc#1003925).
- CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed, which is reportedly exploited in the wild (bsc#1004418).
- CVE-2016-8658: Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel allowed local users to cause a denial of service (system crash) or possibly have unspecified other impact via a long SSID Information Element in a command to a Netlink socket (bnc#1004462).
- CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bnc#1003077).
- CVE-2016-0823: The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel before 3.19.3, as used in Android 6.0.1 before 2016-03-01, allowed local users to obtain sensitive physical-address information by reading a pagemap file, aka Android internal bug 25739721 (bnc#994759).
- CVE-2016-7425: The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did not restrict a certain length field, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).
- CVE-2016-6327: drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) by using an ABORT_TASK command to abort a device write operation (bnc#994748).
- CVE-2016-6828: The tcp_check_send_head function in include/net/tcp.h in the Linux kernel did not properly maintain certain SACK state after a failed data copy, which allowed local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option (bnc#994296).
- CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly determine the rate of challenge ACK segments, which made it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack (bnc#989152).
- CVE-2016-6480: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a 'double fetch' vulnerability (bnc#991608).
- CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel did not reset the PIT counter values during state restoration, which allowed guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via a zero value, related to the kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions (bnc#960689).
- CVE-2016-1237: nfsd in the Linux kernel allowed local users to bypass intended file-permission restrictions by setting a POSIX ACL, related to nfs2acl.c, nfs3acl.c, and nfs4acl.c (bnc#986570).
The following non-security bugs were fixed:
- AF_VSOCK: Shrink the area influenced by prepare_to_wait (bsc#994520).
- xen: Fix refcnt regression in xen netback introduced by changes made for bug#881008 (bnc#978094)
- MSI-X: fix an error path (luckily none so far).
- usb: fix typo in wMaxPacketSize validation (bsc#991665).
- usb: validate wMaxPacketValue entries in endpoint descriptors (bnc#991665).
- Update patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch (bsc#986570 CVE#2016-1237).
- Update patches.fixes/0001-posix_acl-Add-set_posix_acl.patch (bsc#986570 CVE#2016-1237).
- apparmor: fix change_hat not finding hat after policy replacement (bsc#1000287).
- arm64: Honor __GFP_ZERO in dma allocations (bsc#1004045).
- arm64: __clear_user: handle exceptions on strb (bsc#994752).
- arm64: dma-mapping: always clear allocated buffers (bsc#1004045).
- arm64: perf: reject groups spanning multiple HW PMUs (bsc#1003931).
- blkfront: fix an error path memory leak (luckily none so far).
- blktap2: eliminate deadlock potential from shutdown path (bsc#909994).
- blktap2: eliminate race from deferred work queue handling (bsc#911687).
- btrfs: ensure that file descriptor used with subvol ioctls is a dir (bsc#999600).
- cdc-acm: added sanity checking for probe() (bsc#993891).
- kaweth: fix firmware download (bsc#993890).
- kaweth: fix oops upon failed memory allocation (bsc#993890).
- netback: fix flipping mode (bsc#996664).
- netfront: linearize SKBs requiring too many slots (bsc#991247).
- nfsd: check permissions when setting ACLs (bsc#986570).
- posix_acl: Add set_posix_acl (bsc#986570).
- ppp: defer netns reference release for ppp channel (bsc#980371).
- tunnels: Do not apply GRO to multiple layers of encapsulation (bsc#1001486).
- usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices (bsc#922634).
- x86: suppress lazy MMU updates during vmalloc fault processing (bsc#951155).
- xen-netback-generalize.patch: Fold back into base patch.
- xen3-patch-2.6.31.patch: Fold back into base patch.
- xen3-patch-3.12.patch: Fold back into base patch.
- xen3-patch-3.15.patch: Fold back into base patch.
- xen3-patch-3.3.patch: Fold back into base patch.
- xen3-patch-3.9.patch: Fold back into base patch.
- xenbus: do not bail early from xenbus_dev_request_and_reply() (luckily none so far).
- xenbus: inspect the correct type in xenbus_dev_request_and_reply().
Solution
Update the affected Linux kernel packages.